Merge pull request #2403 in SNORT/snort3 from ~KBHANDAN/snort3:cleanup_cmd_line to...
authorShanmugam S (shanms) <shanms@cisco.com>
Wed, 3 Mar 2021 05:05:45 +0000 (05:05 +0000)
committerShanmugam S (shanms) <shanms@cisco.com>
Wed, 3 Mar 2021 05:05:45 +0000 (05:05 +0000)
Squashed commit of the following:

commit 1e5322ae5ba0f32c3af2ccf35d52c637a556ffe2
Author: Kaushal Bhandankar <kbhandan@cisco.com>
Date:   Fri Aug 14 16:12:59 2020 -0400

    snort_config: remove unnecessary command line options

src/detection/fp_detect.cc
src/main/snort_config.cc
src/main/snort_config.h
src/main/snort_module.cc
src/packet_io/active.cc
src/parser/parse_conf.cc

index a9effa7e0c2f9c314e154600fc25a8b496b80e51..cc1c72252e7098ef4a3e63892a6d1cfdbd227178 100644 (file)
@@ -580,9 +580,7 @@ static inline int fpSessionAlerted(Packet* p, const OptTreeNode* otn)
 **    event.  Otherwise if the ordering has it that pass rule events are
 **    processed after a drop or alert you will see the drops and alerts,
 **    and the pass event just causes us to stop processing any more events
-**    on the packet, but the packet does not pass.  Also, the --treat-drop-as-alert
-**    flag causes any drop/block/reset rules to be loaded as alert rules.
-**    The default has been to ignore them on parsing.
+**    on the packet, but the packet does not pass.
 **
 **    If this is less than clear, here's the $.02 version:
 **    default order -> pass drop alert log ( --alert-before-pass reverts
@@ -592,8 +590,6 @@ static inline int fpSessionAlerted(Packet* p, const OptTreeNode* otn)
 **    the -o flag is useless, but accepted, for now.
 **    the max_events and log fields are reduced to only needing the log
 **    events field. max_fields is harmless.
-**    ( drop rules may be honored as alerts in IDS mode (no -Q) by using
-**    the --treat-drop-as-alert)
 **
 **  FORMAL INPUTS
 **    OtnxMatchData * - omd to select event from.
index 3a8b4b788a3da95966c57d1d737006c1a5b40c2c..e0a32ff6e6df871b8b6297d3e6b69b1305e25ad9 100644 (file)
@@ -726,22 +726,6 @@ void SnortConfig::set_show_year(bool enabled)
         output_flags &= ~OUTPUT_FLAG__INCLUDE_YEAR;
 }
 
-void SnortConfig::set_treat_drop_as_alert(bool enabled)
-{
-    if (enabled)
-        run_flags |= RUN_FLAG__TREAT_DROP_AS_ALERT;
-    else
-        run_flags &= ~RUN_FLAG__TREAT_DROP_AS_ALERT;
-}
-
-void SnortConfig::set_treat_drop_as_ignore(bool enabled)
-{
-    if (enabled)
-        run_flags |= RUN_FLAG__TREAT_DROP_AS_IGNORE;
-    else
-        run_flags &= ~RUN_FLAG__TREAT_DROP_AS_IGNORE;
-}
-
 void SnortConfig::set_process_all_events(bool enabled)
 {
     if (enabled)
index dbd734a6152ed03adde09918e28d2855c185f867..f9d121e40831e4897dbec0c3e43bc86f5347b0ae 100644 (file)
@@ -50,37 +50,35 @@ enum RunFlag
     RUN_FLAG__CREATE_PID_FILE     = 0x00000040,
     RUN_FLAG__NO_LOCK_PID_FILE    = 0x00000080,
 
-    RUN_FLAG__TREAT_DROP_AS_ALERT = 0x00000100,
-    RUN_FLAG__ALERT_BEFORE_PASS   = 0x00000200,
-    RUN_FLAG__CONF_ERROR_OUT      = 0x00000400,
-    RUN_FLAG__MPLS_MULTICAST      = 0x00000800,
-
-    RUN_FLAG__MPLS_OVERLAPPING_IP = 0x00001000,
-    RUN_FLAG__PROCESS_ALL_EVENTS  = 0x00002000,
-    RUN_FLAG__INLINE_TEST         = 0x00004000,
-    RUN_FLAG__PCAP_SHOW           = 0x00008000,
-
-    RUN_FLAG__SHOW_FILE_CODES     = 0x00010000,
-    RUN_FLAG__PAUSE               = 0x00020000,
-    RUN_FLAG__NO_PCRE             = 0x00040000,
+    RUN_FLAG__ALERT_BEFORE_PASS   = 0x00000100,
+    RUN_FLAG__CONF_ERROR_OUT      = 0x00000200,
+    RUN_FLAG__MPLS_MULTICAST      = 0x00000400,
+    RUN_FLAG__MPLS_OVERLAPPING_IP = 0x00000800,
+
+    RUN_FLAG__PROCESS_ALL_EVENTS  = 0x00001000,
+    RUN_FLAG__INLINE_TEST         = 0x00002000,
+    RUN_FLAG__PCAP_SHOW           = 0x00004000,
+    RUN_FLAG__SHOW_FILE_CODES     = 0x00008000,
+
+    RUN_FLAG__PAUSE               = 0x00010000,
+    RUN_FLAG__NO_PCRE             = 0x00020000,
     /* If stream is configured, the STATEFUL flag is set.  This is
      * somewhat misnamed and is used to assure a session is established */
-    RUN_FLAG__ASSURE_EST          = 0x00080000,
+    RUN_FLAG__ASSURE_EST          = 0x00040000,
+    RUN_FLAG__DUMP_RULE_DEPS      = 0x00080000,
 
-    RUN_FLAG__TREAT_DROP_AS_IGNORE= 0x00100000,
-    RUN_FLAG__DUMP_RULE_DEPS      = 0x00200000,
-    RUN_FLAG__TEST                = 0x00400000,
+    RUN_FLAG__TEST                = 0x00100000,
 #ifdef SHELL
-    RUN_FLAG__SHELL               = 0x00800000,
+    RUN_FLAG__SHELL               = 0x00200000,
 #endif
 #ifdef PIGLET
-    RUN_FLAG__PIGLET              = 0x01000000,
+    RUN_FLAG__PIGLET              = 0x00400000,
 #endif
-    RUN_FLAG__MEM_CHECK           = 0x02000000,
-    RUN_FLAG__TRACK_ON_SYN        = 0x04000000,
-    RUN_FLAG__IP_FRAGS_ONLY       = 0x08000000,
+    RUN_FLAG__MEM_CHECK           = 0x00800000,
 
-    RUN_FLAG__DUMP_RULE_STATE     = 0x10000000,
+    RUN_FLAG__TRACK_ON_SYN        = 0x01000000,
+    RUN_FLAG__IP_FRAGS_ONLY       = 0x02000000,
+    RUN_FLAG__DUMP_RULE_STATE     = 0x04000000,
 };
 
 enum OutputFlag
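Review bot: Every flag from `RUN_FLAG__ALERT_BEFORE_PASS` onward is renumbered to close the two gaps, so the numeric meaning of each bit in `run_flags` changes. Inside the tree that is harmless, but this header also carries inline accessors that test those bits (for example `show_file_codes()`). Anything compiled against the previous header, presumably out-of-tree plugins if this header is installed, would test the wrong bit until rebuilt. Leaving the retired bits in place with a marker such as `// 0x00000100 retired (was TREAT_DROP_AS_ALERT)` avoids that; otherwise confirm the plugin API version is bumped with this change. The enum begins above the hunk.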
@@ -477,8 +475,6 @@ public:
     void set_process_all_events(bool);
     void set_show_year(bool);
     void set_tunnel_verdicts(const char*);
-    void set_treat_drop_as_alert(bool);
-    void set_treat_drop_as_ignore(bool);
     void set_tweaks(const char*);
     void set_uid(const char*);
     void set_umask(uint32_t);
@@ -543,6 +539,9 @@ public:
     bool inline_test_mode() const
     { return get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; }
 
+    bool passive_mode() const
+    { return get_ips_policy()->policy_mode == POLICY_MODE__PASSIVE; }
+
     bool show_file_codes() const
     { return run_flags & RUN_FLAG__SHOW_FILE_CODES; }
 
@@ -609,12 +608,6 @@ public:
     bool pcap_show() const
     { return run_flags & RUN_FLAG__PCAP_SHOW; }
 
-    bool treat_drop_as_alert() const
-    { return run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; }
-
-    bool treat_drop_as_ignore() const
-    { return run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; }
-
     bool alert_before_pass() const
     { return run_flags & RUN_FLAG__ALERT_BEFORE_PASS; }
 
index a48bfd473ea3c433eed3b92e2bfa295489aceb51..0e2cf0d2aa3704c238c96a790ed0ff0385acdd7a 100644 (file)
@@ -556,12 +556,6 @@ static const Parameter s_params[] =
     { "--talos", Parameter::PT_IMPLIED, nullptr, nullptr,
       "enable Talos tweak (same as --tweaks talos)", },
 
-    { "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr,
-      "converts drop, block, and reset rules into alert rules when loaded" },
-
-    { "--treat-drop-as-ignore", Parameter::PT_IMPLIED, nullptr, nullptr,
-      "use drop, block, and reset rules to ignore session traffic when not inline" },
-
     { "--tweaks", Parameter::PT_STRING, nullptr, nullptr,
       "tune configuration" },
 
@@ -1090,12 +1084,6 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
     else if ( v.is("--talos") )
         sc->set_tweaks("talos");
 
-    else if ( v.is("--treat-drop-as-alert") )
-        sc->set_treat_drop_as_alert(true);
-
-    else if ( v.is("--treat-drop-as-ignore") )
-        sc->set_treat_drop_as_ignore(true);
-
     else if ( v.is("--tweaks") )
         sc->set_tweaks(v.get_string());
 
index e1d3d6fb4e7edafdf4c622e659c2fcce85943626..4165775a5dd3b35f29966aabacd6fcea76542b78 100644 (file)
@@ -542,6 +542,11 @@ void Active::update_status_actionable(const Packet* p)
         active_status = AST_WOULD;
         active_would_reason = WHD_IPS_INLINE_TEST;
     }
+    else if ( p->context->conf->passive_mode() )
+    {
+        active_status = AST_WOULD;
+        active_would_reason = WHD_INTERFACE_IDS;
+    }
 }
 
 void Active::update_status(const Packet* p, bool force)
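Review bot: The new passive branch sets `active_would_reason = WHD_INTERFACE_IDS`, which by its name describes an interface that is not forwarding rather than a policy configured as passive. If that value is also used for the interface case elsewhere (not visible in this hunk), analysts will be unable to tell from a would-drop event which of the two conditions suppressed enforcement. Either add a dedicated reason for the policy case or record the reuse with a comment such as `// policy is passive: report would-verdict, reason shared with non-inline interface`. The `if`/`else if` chain this branch extends starts above the hunk.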
@@ -671,8 +676,7 @@ void Active::block_session(Packet* p, bool force)
     active_action = ACT_BLOCK;
     update_status(p, force);
 
-    if ( force or ( p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth) )
-        or p->context->conf->treat_drop_as_ignore() )
+    if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth)))
         Stream::block_flow(p);
 
     p->disable_inspect = true;
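Review bot: The enforcement predicate `force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth))` is now written out identically here and in reset_session (next hunk), and nothing says what happens on a sensor that is not inline. As written, a non-forced block outside inline mode skips `Stream::block_flow(p)` but still sets `p->disable_inspect = true`, so only the current packet stops being inspected and later packets on the flow can match again. If that is intended, a comment such as `// not inline: leave the flow alone, only report would-block` above the `if` would record it. A small private helper, e.g. `static bool can_enforce(const Packet* p, bool force)`, would keep the two call sites from drifting apart. Both function bodies continue outside their hunks.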
@@ -688,8 +692,7 @@ void Active::reset_session(Packet* p, ActiveAction* reject, bool force)
     active_action = ACT_RESET;
     update_status(p, force);
 
-    if ( force or ( p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth) )
-        or p->context->conf->treat_drop_as_ignore() )
+    if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth)))
         Stream::drop_flow(p);
 
     if ( p->context->conf->is_active_enabled() )
index 19f5540b7be38e59e9bc1e5f8214babb635fe6cd..43d452eaf2156c832ce93afdc8531bd255e6eae7 100644 (file)
@@ -265,21 +265,6 @@ void add_service_to_otn(SnortConfig* sc, OptTreeNode* otn, const char* svc_name)
     otn->sigInfo.services.emplace_back(si);
 }
 
-// only keep drop rules ...
-// if we are inline (and can actually drop),
-// or we are going to just alert instead of drop,
-// or we are going to ignore session data instead of drop.
-// the alert case is tested for separately with SnortConfig::treat_drop_as_alert().
-static inline int keep_drop_rules(const SnortConfig* sc)
-{
-    return ( sc->inline_mode() or sc->adaptor_inline_mode() or sc->treat_drop_as_ignore() );
-}
-
-static inline int load_as_drop_rules(const SnortConfig* sc)
-{
-    return ( sc->inline_test_mode() || sc->adaptor_inline_test_mode() );
-}
-
 Actions::Type get_rule_type(const char* s)
 {
     Actions::Type rt = Actions::get_type(s);
@@ -287,20 +272,12 @@ Actions::Type get_rule_type(const char* s)
     if ( rt == Actions::NONE )
         rt = ActionManager::get_action_type(s);
 
-    const SnortConfig* sc = SnortConfig::get_conf();
-
     switch ( rt )
     {
     case Actions::DROP:
     case Actions::BLOCK:
     case Actions::RESET:
-        if ( sc->treat_drop_as_alert() )
-            return Actions::ALERT;
-
-        if ( keep_drop_rules(sc) || load_as_drop_rules(sc) )
-            return rt;
-
-        return Actions::NONE;
+        return rt;
 
     case Actions::NONE:
         ParseError("unknown rule type '%s'", s);
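Review bot: After this change the `DROP`/`BLOCK`/`RESET` labels only `return rt;`, and nothing in get_rule_type records that drop-type rules are now loaded in every mode. A passive sensor that previously discarded these rules at parse time (the removed `return Actions::NONE` path) will now evaluate them and can raise would-drop events, which changes rule count and event volume for existing IDS deployments. A comment such as `// always load drop/block/reset; enforcement vs. "would" is decided at runtime in Active` would make that explicit. If the rest of the switch, which continues past this hunk, already returns `rt` by default, the three labels could be removed altogether.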